1 / 70

Data Encryption Standard (DES)

INCS 741: Cryptography. Data Encryption Standard (DES). Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2010. Block Ciphers. Block Ciphers. Stream ciphers process messages a bit or byte at a time when en/decrypting Vigenère Cipher Caeser Cipher

akando
Download Presentation

Data Encryption Standard (DES)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INCS 741: Cryptography Data Encryption Standard (DES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2010 Dr. Monther Aldwairi

  2. Block Ciphers Dr. Monther Aldwairi

  3. Block Ciphers • Stream ciphers process messages a bit or byte at a time when en/decrypting • Vigenère Cipher • Caeser Cipher • Block ciphers process messages in blocks • Block are en/decrypted like a substitution on very big characters 64-bits or more • Hill Cipher block size 2 • DES block size 64 bits Dr. Monther Aldwairi

  4. Ideal Block Cipher Dr. Monther Aldwairi

  5. Shannon Properties of a Good Cryptosystem • Diffusion • Each plaintext digit affects the values of many ciphertext digits and visa versa. • Achieved by applying permutation then a function on data, forcing different plaintext digits to affect a single ciphertext digit • permutation (P-box) • Confusion • The key doesn’t relate in a simple way to ciphertext. • Ciphertext statistics cannot give the key up • Achieved by a complex substitution algorithm • substitution (S-box) Dr. Monther Aldwairi

  6. Feistel Cipher • Virtually all conventional block encryption algorithms have a structure described by Horst Feistel of IBM in 1973 • partitions input block into two halves • process through multiple rounds • each round performs a substitution on left data half based on round function of right half & sub key • then have permutation swapping halves • Implements Shannon’s S-P net concept Dr. Monther Aldwairi

  7. Feistel Cipher Structure Dr. Monther Aldwairi

  8. Dr. Monther Aldwairi

  9. Feistel Cipher Design Elements • block size: larger size improves security, but slows cipher • key size: increasing size makes exhaustive key searching harder, but may slow cipher. • number of rounds: increasing number improves security, but slows cipher • sub key generation algorithm: greater complexity can make cryptanalysis harder, but slows cipher • round function: greater complexity can make analysis harder, but slows cipher • fast software en/decryption: concern for practical use • ease of analysis: easier validation & testing of strength Dr. Monther Aldwairi

  10. Feistel Cipher Decryption Dr. Monther Aldwairi

  11. Data Encryption Standard (DES) Dr. Monther Aldwairi

  12. Data Encryption Standard (DES) • The most widely used block cipher • adopted in 1977 by NBS/NIST as FIPS PUB 46 • The plaintext is processed in 64-bit blocks • The key is 56-bits in length • Controversy over its security • Choice of 56-bit key (vs Lucifer 128-bit) • DES is public but design criteria were classified (S-box) • subsequent events and public analysis show in fact design was appropriate • use of DES has flourished in financial applications • still standard for legacy application use Dr. Monther Aldwairi

  13. Initial Permutation Round 1 Swap left and right halves Round 16 DES Overview- Encryption Generate 16 per-round keys 64-bit input 56-bit Key 48-bit K1 48-bit K16 Final Permutation Dr. Monther Aldwairi

  14. Initial Permutation Round 1 Swap left and right halves Round 16 DES Overview- Decryption Generate 16 per-round keys 56-bit Key 48-bit K16 48-bit K1 Final Permutation 64-bit input Dr. Monther Aldwairi

  15. DES Encryption Dr. Monther Aldwairi

  16. Initial Permutation IP • IP reorders the input data bits • Arrange into 8 × 8 table • Permute, even columns into rows followed by odd columns (write bits from bottom up) • Example IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb) Dr. Monther Aldwairi

  17. Dr. Monther Aldwairi

  18. 64-bit input 32-bit Ln 32-bit Rn 32-bit Ln 32-bit Rn Mangler function Mangler function Kn Kn 32-bit Ln+1 32-bit Rn+1 32-bit Ln+1 32-bit Rn+1 64-bit output A DES Round 64-bit input 64-bit output Dr. Monther Aldwairi

  19. DES Round Details • uses two 32-bit L & R halves • as for any Feistel cipher can describe as: Li = Ri–1 Ri = Li–1xor F(Ri–1, Ki) • F takes 32-bit R half and 48-bit subkey: • expands R to 48-bits using Expansion perm E • adds to subkey using XORE(R) XOR K – we get 48 bits which we split into 8 blocks 6 bits each • Substitute blocks using 8 S-boxes to get 32-bit result. • Each S-box has 4 rows and 16 columns • First and last bits determine the row, remaining 4 determine column • finally permutes using 32-bit perm P Confusion Dr. Monther Aldwairi

  20. 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 S1 S2 S3 S4 S5 S6 S7 S8 + + + + + + + + The Mangler Function Permutation Dr. Monther Aldwairi

  21. Calculation of F(R, K) Dr. Monther Aldwairi

  22. Substitution Boxes S • have eight S-boxes which map 6 to 4 bits • each S-box is actually 4 little 4 bit boxes • outer bits 1 & 6 (row bits) select one row of 4 • inner bits 2-5 (col bits) are substituted • result is 8 lots of 4 bits, or 32 bits • row selection depends on both data & key • feature known as autoclaving (autokeying) • Example S(18 09 12 3d 11 17 38 39) = 5fd25e03 Dr. Monther Aldwairi

  23. DES Sub keys Generation • To forms sub keys used in each round • initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves • 16 stages consisting of: • rotating each half separately either 1 or 2 places depending on the key rotation schedule K • selecting 24-bits from each half & permuting them by PC2 for use in round function F • note practical use issues in h/w vs s/w Dr. Monther Aldwairi

  24. DES Example Dr. Monther Aldwairi

  25. C0 Initial Permutation D0 C0 D0 • 49 41 33 25 17 9 • 58 50 42 34 26 18 • 2 59 51 43 35 19 • 19 11 3 60 52 44 36 • 55 47 39 31 23 15 • 62 54 46 38 30 22 • 6 61 53 45 37 29 • 21 13 5 28 20 12 4 Rotate left Rotate left Permutation to obtain the right-half of Ki Permutation to obtain the left-half of Ki C1 D1 • 52 31 37 47 55 • 40 51 45 33 48 • 49 39 56 34 53 • 46 42 50 36 29 32 • 17 11 24 1 5 • 28 15 6 21 10 • 19 12 4 26 8 • 16 7 27 20 13 2 Permutation with discard 48-bit K1 Generating the Per-Round Keys 56-bit key CPE 542 Network Security

  26. Process the Key Process the key Get a 64-bit key from the user Every 8th bit (the least significant bit of each byte) is considered a parity bit. For a key to have correct parity, each byte should contain an odd number of "1" bits.) The parity bits are discarded, reducing the key to 56 bits (8th , 16th ,…, 64th ). Dr. Monther Aldwairi

  27. Key Schedule Calculate the key schedule.Permuted Choice 1 (PC-1)57 49 41 33 25 17 91 58 50 42 34 26 1810 2 59 51 43 35 2719 11 3 60 52 44 3663 55 47 39 31 23 157 62 54 46 38 30 2214 6 61 53 45 37 2921 13 5 28 20 12 4 Split the permuted key (56 bits) into two halves. The first 28 bits are called C0 and the last 28 bits are called D0. Dr. Monther Aldwairi

  28. PC-1 M=0000000000000000000000000000000100000000000000000000000000000001 K=1000000000000000000000000000000010000000000000000000000000000000 The first round key is the computed as follows: PC-1(K)= 00010001000000000000000000000000000000000000000000000000 C0= 0001000100000000000000000000 D0= 0000000000000000000000000000 Dr. Monther Aldwairi

  29. Calculate Sub keys Calculate the 16 sub keys. Perform one or two circular left shifts on both Ci-1 and Di-1 to get Ci and Di, respectively. The number of shifts per iteration are given in the table below.Round # 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16Left Shifts 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1 Dr. Monther Aldwairi

  30. PC-2 Calculate the key schedule. Permuted Choice 2 (PC-2) contraction to 28 bit round key 14 17 11 24 1 53 28 15 6 21 1023 19 12 4 26 816 7 27 20 13 241 52 31 37 47 5530 40 51 45 33 4844 49 39 56 34 5346 42 50 36 29 32 Loop back to slide 24 until K16 has been calculated Dr. Monther Aldwairi

  31. PC-2 M=0000000000000000000000000000000100000000000000000000000000000001 K=1000000000000000000000000000000010000000000000000000000000000000 The first round key is the computed as follows: PC-1(K)= 00010001000000000000000000000000000000000000000000000000 C1= 1<<C0= 1<<0001000100000000000000000000 = 0010001000000000000000000000 D1= 1<<D0= 1<<0000000000000000000000000000 = 0000000000000000000000000000 PC-2(C1||D1)=PC-2(00100010000000000000000000000000000000000000000000000000) SK1= 000000100000000000010000000000000000000000000000 Dr. Monther Aldwairi

  32. DES Example Dr. Monther Aldwairi

  33. Process Data Block Initial Permutation (IP) on 64-bit data block 58 50 42 34 26 18 10 260 52 44 36 28 20 12 462 54 46 38 30 22 14 664 56 48 40 32 24 16 857 49 41 33 25 17 9 159 51 43 35 27 19 11 361 53 45 37 29 21 13 563 55 47 39 31 23 15 7 Dr. Monther Aldwairi

  34. Round i • Split the block into two halves. The first 32 bits are called L0, and the last 32 bits are called R0. • Apply the 16 sub keys to the data block. Start with SK1 • Expand the 32-bit Ri-1(R0) into 48 bits according • Expansion Permutation E 32 1 2 3 4 54 5 6 7 8 98 9 10 11 12 1312 13 14 15 16 1716 17 18 19 20 2120 21 22 23 24 2524 25 26 27 28 2928 29 30 31 32 1 • Exclusive-or E(Ri-1) with SKi Dr. Monther Aldwairi

  35. Round i/S-Boxes • Eight S-boex that accept 6 bit inputs and produce 4 bit outputs • Break E(Ri-1) xorSKiinto eight 6-bit input blocks. • Bits 1-6 are B1, bits 7-12 are B2, and so on with bits 43-48 being B8. • Take the 1st and 6th bits of Bjtogether as a 2-bit value indicating the row in Sj • Take the 2nd through 5th bits of Bjtogether as a 4-bit value indicating the column in Sjto find the substitution. Dr. Monther Aldwairi

  36. S-Boxes S1 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 015 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 S5 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 914 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 1411 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3 S2 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 1513 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9 S6 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 1110 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13 S3 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 813 7 0 9 3 4 6 10 2 8 5 14 12 11 15 113 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12 S7 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 113 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12 S4 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 1513 8 11 5 6 15 0 3 4 7 2 12 1 10 14 910 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14 S8 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11 Dr. Monther Aldwairi

  37. Permutation (P) • Permute the concatenation of B1 through B8 (32 bits) • Permutation P 16 7 20 2129 12 28 171 15 23 265 18 31 102 8 24 1432 27 3 919 13 30 622 11 4 25 • Exclusive-or the resulting value with Li-1. • Thus, all together, your Ri= Li-1xor P(S1(B1)...S8(B8)), where Bjis a 6-bit block of E(Ri-1) xorSKi. • The function for Ri is more concisely written as, • Ri-1 = Li-1xor f(Ri-1, Ki).) Dr. Monther Aldwairi

  38. Inverse Initial Permutation IP-1 • Loop back to slide 29 - Permutation E until SK16 has been applied • Perform the following permutation on the block R16L116. • Final Permutation (IP-1)40 8 48 16 56 24 64 3239 7 47 15 55 23 63 3138 6 46 14 54 22 62 3037 5 45 13 53 21 61 2936 4 44 12 52 20 60 2835 3 43 11 51 19 59 2734 2 42 10 50 18 58 2633 1 41 9 49 17 57 25 Dr. Monther Aldwairi

  39. DES Example DES round 1 Round key = 000000100000000000010000000000000000000000000000 L1= 00000000000000000000000000000001 R1= 00000000000000000000000000000001 Apply E: 100000000000000000000000000000000000000000000010 Xor K1: 000000100000000000010000000000000000000000000000⊕ 100000000000000000000000000000000000000000000010 = 100000||100000||000000||010000||000000||000000||000000||000010 S-Box S1: 0100 S-Box S2: 0000 S-Box S3: 1010 S-Box S4: 0001 S-Box S5: 0010 S-Box S6: 1100 S-Box S7: 0100 S-Box S8: 0010 P-Box: 10010000000100101000000110001100 Xor L1: 10010000000100101000000110001100⊕00000000000000000000000000000001 =10010000000100101000000110001101 R1kL1 = 00000000000000000000000000000001k10010000000100101000000110001101 16 round example @ http://www.adeptscience.co.uk/products/mathsim/maple/powertools/cryptography/HTML/DES-Example.html http://www.eventid.net/docs/desexample.asp Dr. Monther Aldwairi

  40. DES Decryption • decrypt must unwind steps of data computation • with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1) • IP undoes final FP step of encryption • 1st round with SK16 undoes 16th encrypt round • …. • 16th round with SK1 undoes 1st encrypt round • then final FP undoes initial encryption IP • thus recovering original data value Dr. Monther Aldwairi

  41. Avalanche Effect • key desirable property of encryption algorithm • where a change of one input or key bit results in changing approx half output bits • making attempts to “home-in” by guessing keys impossible • DES exhibits strong avalanche • Permutation E Dr. Monther Aldwairi

  42. Strength of DES – Key Size • 56-bit keys have 256 = 7.2 x 1016 values • brute force search looks hard • recent advances have shown is possible • in 1997 on Internet in a few months • in 1998 on dedicated h/w (EFF) in a few days • in 1999 above combined in 22hrs! • still must be able to recognize plaintext • must now consider alternatives to DES Dr. Monther Aldwairi

  43. Average time required for exhaustive key search Taken from Henric Johnson’s slides Dr. Monther Aldwairi

  44. Strength of DES – Analytic Attacks • now have several analytic attacks on DES • these utilise some deep structure of the cipher • by gathering information about encryptions • can eventually recover some/all of the sub-key bits • if necessary then exhaustively search for the rest • generally these are statistical attacks • differential cryptanalysis • linear cryptanalysis • related key attacks Dr. Monther Aldwairi

  45. Differential Cryptanalysis • Murphy, Biham & Shamir published in 90’s • powerful method to analyze block ciphers • used to analyze most current block ciphers with varying degrees of success • DES reasonably resistant to it • a statistical attack against Feistel ciphers • uses cipher structure not previously used • design of S-P networks has output of function f influenced by both input & key • hence cannot trace values back through cipher without knowing value of the key • differential cryptanalysis compares two related pairs of encryptions Dr. Monther Aldwairi

  46. Differential Cryptanalysis • have some input difference giving some output difference with probability p • if find instances of some higher probability input / output difference pairs occurring • can infer subkey that was used in round • then must iterate process over many rounds (with decreasing probabilities) Dr. Monther Aldwairi

  47. Compares Pairs of Encryptions • with a known difference in the input • searching for a known difference in output • when same subkeys are used Dr. Monther Aldwairi

  48. Differential Cryptanalysis Dr. Monther Aldwairi

  49. Differential Cryptanalysis • perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR • when found • if intermediate rounds match required XOR have a right pair • if not then have a wrong pair, relative ratio is S/N for attack • can then deduce keys values for the rounds • right pairs suggest same key bits • wrong pairs give random values • for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs • Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES Dr. Monther Aldwairi

  50. Linear Cryptanalysis • another recent development • also a statistical method • must be iterated over rounds, with decreasing probabilities • developed by Matsui et al in early 90's • based on finding linear approximations • can attack DES with 243 known plaintexts, easier but still in practise infeasible Dr. Monther Aldwairi

More Related